Hello
As I am working on LDAP authentication, I am getting the error:
In handler 'LDAP-auth': Failed to retrieve a group with these settings
Can anyone please guide me on what I am doing wrong?
My authentication.conf looks as below:
[authentication]
authType = LDAP
authSettings = ldaphost
[ldaphost]
host = XXXX
port = 1389
SSLEnabled = 0
bindDN = cn=Directory Manager
bindDNpassword = XXXX
userBaseDN = dc=XXXX,dc=internal
userBaseFilter = (objectclass=posixAccount)
userNameAttribute = uid
realNameAttribute = cn
groupMappingAttribute = dn
groupBaseDN = ou=groups,dc=XXXX,dc=internal
groupBaseFilter = (objectclass=groupOfNames)
groupNameAttribute = cn
groupMemberAttribute = uniqueMember
timelimit = 10
network_timeout = 15
[roleMap_ldaphost]
admin = splunk-admin
user = splunk-users
That error is trying to tell you: "With the LDAP settings you have configured, Splunk tried to look up groups but did not find any".
Fields of interest, along with their descriptions:
groupBaseFilter =
* OPTIONAL
* The LDAP search filter Splunk uses when searching for static groups
* Like userBaseFilter, this is highly recommended to speed up LDAP queries
* See RFC 2254 for more information
* This defaults to no filtering
groupNameAttribute =
* REQUIRED
* This is the group entry attribute whose value stores the group name.
* A typical attribute for this is 'cn' (common name)
* Recall that if you are configuring LDAP to treat user entries as their own
  group, user entries must have this attribute
groupMemberAttribute =
* REQUIRED
* This is the group entry attribute whose values are the groups members
* Typical attributes for this are 'member' and 'memberUid'
* For example, consider the groupMappingAttribute example above using
  groupMemberAttribute 'member'
* To declare 'splunkuser' as a group member, its attribute 'member' must
  have the value 'splunkuser'
Delving a little bit deeper with an example: let's say your groups are saved in ou=Matrix Actors,dc=example,dc=com; this will be your groupBaseFilter. Then there are different groups in this ou, namely cn=Good Guys,ou=Matrix Actors,dc=example,dc=com and cn=Bad Guys,ou=Groups,dc=example,dc=com, hence 'cn' is going to be your groupNameAttribute. Furthermore, these groups have an attribute called member, for example member: neo, member=smith, member=morpheus. And your LDAP has user entries like cn=neo,ou=Matrix Actors,dc=example,dc=com and cn=Trinity,ou=Matrix Actors,dc=example,dc=com. So this kinda explains what these values mean.
The next question would be how to debug this on the LDAP server and find out which values you should choose for these attributes.
Something to the order of
ldapsearch -x -LLL -H ldap:/// -b dc=cloudapp,dc=net dn
should list all the dn entries (I might be rusty with this), and you can drill down or use some UI tool to browse your LDAP tree.
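An added example, not part of the original thread and not Splunk's own code: it reads an LDAP strategy stanza like the one in the question, builds an ldapsearch command for checking what the group settings return, and flags a groupBaseFilter object class whose standard member attribute differs from groupMemberAttribute. The host name, the helper names and the assumption that the group lookup corresponds to a search under groupBaseDN with groupBaseFilter are assumptions of this example.

```python
import configparser
import shlex

# Constructed sample: group settings as in the question, with a placeholder host.
SAMPLE_CONF = """\
[authentication]
authSettings = ldaphost
[ldaphost]
host = ldap.example.internal
port = 1389
SSLEnabled = 0
bindDN = cn=Directory Manager
groupBaseDN = ou=groups,dc=example,dc=internal
groupBaseFilter = (objectclass=groupOfNames)
groupNameAttribute = cn
groupMemberAttribute = uniqueMember
"""

# Member attribute of the standard group object classes (RFC 4519, RFC 2307).
SCHEMA_MEMBER_ATTR = {"groupofnames": "member",
                      "groupofuniquenames": "uniqueMember",
                      "posixgroup": "memberUid"}

def load_strategy(conf_text):
    """Return the stanza named by authSettings as a dict, keeping key case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    return dict(cp[cp["authentication"]["authSettings"]])

def group_search_command(s):
    """Build an ldapsearch line for the group search; -W prompts for the bind password."""
    scheme = "ldaps" if s.get("SSLEnabled", "0") == "1" else "ldap"
    argv = ["ldapsearch", "-x", "-LLL", "-H", f"{scheme}://{s['host']}:{s['port']}",
            "-D", s["bindDN"], "-W", "-b", s["groupBaseDN"],
            s.get("groupBaseFilter", "(objectClass=*)"),
            s["groupNameAttribute"], s["groupMemberAttribute"]]
    return " ".join(shlex.quote(a) for a in argv)

def lint(s):
    """Flag a filter object class whose schema member attribute is not the configured one."""
    filt = s.get("groupBaseFilter", "").lower().replace(" ", "")
    configured = s["groupMemberAttribute"]
    return [f"objectClass {oc} stores members in '{attr}', not '{configured}'"
            for oc, attr in SCHEMA_MEMBER_ATTR.items()
            if f"objectclass={oc})" in filt and configured.lower() != attr.lower()]

if __name__ == "__main__":
    strategy = load_strategy(SAMPLE_CONF)
    print(group_search_command(strategy))
    print("\n".join(lint(strategy)) or "no object class / member attribute mismatch")
```

If the printed ldapsearch command returns no entries, or entries without the member attribute, the group settings need adjusting before the role mapping can work.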
We use the following to find the LDAP group names which start with splunk:
bindDN = cn=spl_app,cn=users,dc=ms,dc=ds,dc=xxx,dc=com
groupBaseDN = cn=users,dc=ms,dc=ds,dc=xxx,dc=com
groupBaseFilter = (&(objectcategory=group)(cn=splunk*))
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
userBaseDN = cn=users,dc=ms,dc=ds,dc=xxx,dc=com
Did you create the groups splunk-admin and splunk-users in the authorize.conf file?
Also take a look at these sources: